Symantec warns of more malicious apps on Android
Google Play still serving up malware and adware, security company says
The Google Play store is still plagued with rogue apps and malware, according to Symantec.
The security company is warning of a number of malicious apps disguised as games and education apps, as well as a set of malicious apps which keep reappearing on the Google Play store despite being reported to Google.
Symantec discovered 38 malicious apps in the Google Play Store disguised as games and education apps. They hide their existence by removing their icons from the home screen once they are installed, and they redirect victims to install another app on Google Play that has minimal functionality and displays a large amount of advertising.
While staying undercover, the malicious app has a background service that constantly checks the device's network connectivity status. Once network connectivity is available, the app checks if the compromised device has installed any of the previously mentioned 37 malicious apps. If none of them are present, the app will load several URLs in the background. The URLs lead to various blogs and it is likely the app is being used to increase web traffic to these sites.
Another set of malicious apps has reappeared in the Play Store under a slightly different name and publisher, even after Google removed the original app.
The malware, named Android.Reputation.1, appears on the Play Store hidden in at least seven apps offering emoji keyboard additions, space cleaners, app lockers, calculators and call recorders. None of the apps actually have the functions advertised, but simply serve to get the user to install the malware, which then hides itself.
The apps in this family share the same set of tricks designed to take advantage of the device user. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn't tipped off right after app installation, they're less likely to attribute strange behaviour to the true culprit.
The app is looking to raise the barrier for its uninstallation and is usurping trusted branding to pull it off. The app uses the Google Play icon when requesting device administrator privileges.
The app has the ability to change its launcher icon and its "running apps" icon in the system settings once installed. Again, it uses well-known and trusted icons, specifically those of Google Play and Google Maps, to allay suspicion.
The malware pushes ads to the user, and URLs to scam sites. It also connects to a command & control server.
Symantec suggests that users install proper mobile security software, avoid downloads from unfamiliar sites or sources that they don't trust, and pay close attention to the permissions requested by apps.
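The following added example (not from Symantec's report) shows how an app inventory could be triaged for the behaviours described above: a missing launcher icon, device administrator rights, and Google Play or Google Maps branding on an unrelated package. The record fields, the two-indicator threshold and the sample inventory are assumptions constructed for illustration.

```python
# Added illustration: field names and sample records are constructed assumptions.
from dataclasses import dataclass

# Genuine package names for the two brands the article says are impersonated.
TRUSTED_BRANDS = {
    "google play": "com.android.vending",
    "google play store": "com.android.vending",
    "google maps": "com.google.android.apps.maps",
    "maps": "com.google.android.apps.maps",
}

@dataclass
class AppRecord:
    package: str
    label: str               # name shown in settings / "running apps"
    system_app: bool
    has_launcher_icon: bool
    device_admin: bool

def indicators(app: AppRecord) -> list[str]:
    """Return the behaviours from the article that this record exhibits."""
    if app.system_app:
        return []            # preinstalled apps are out of scope here
    found = []
    if not app.has_launcher_icon:
        found.append("no launcher icon")
    if app.device_admin:
        found.append("holds device administrator")
    genuine = TRUSTED_BRANDS.get(app.label.strip().lower())
    if genuine is not None and app.package != genuine:
        found.append(f"label '{app.label}' but package is not {genuine}")
    return found

def triage(inventory, threshold=2):
    """Map package -> indicators for apps with at least `threshold` indicators."""
    hits = {}
    for app in inventory:
        found = indicators(app)
        if len(found) >= threshold:
            hits[app.package] = found
    return hits

# Constructed sample inventory (package names are placeholders, not IoCs).
SAMPLE = [
    AppRecord("com.android.vending", "Google Play Store", True, True, False),
    AppRecord("com.example.emojikeyboard", "Google Play", False, False, True),
    AppRecord("com.example.notes", "Notes", False, True, False),
    AppRecord("com.example.workprofile", "Work Agent", False, True, True),
]

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```

A single indicator is common among legitimate apps (a management agent holding device administrator rights, for example), which is why the default threshold requires two.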